Data protection news update – October 2018

Be.infoready helps organisations comply with data protection regulations. Compliance with the new data regulations can be daunting – we can simplify things.

Non-compliance can result in big fines and news headlines.

Here is our data protection news update for October:

  • The Privacy Shield

If you follow our previous be.infoready articles, you will be aware that we reported on the European Parliament's call to suspend the Privacy Shield. This followed recommendations by the WP29 (now the European Data Protection Board) about the inadequacies of the EU-US Privacy Shield since its adoption in 2016.

The annual review of the Privacy Shield agreement is due at the end of October. But the US ambassador to the EU has stated, “There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.” (1)

  • Morrisons

In 2014 Morrisons suffered a huge payroll data breach after one of its employees, Andrew Skelton (a senior IT auditor), published the payroll details of around 100,000 staff on the Tor network.

National Insurance numbers, bank details and salaries were shared. Mr. Skelton was jailed for 8 years. Morrisons is now defending a class action brought by affected staff in the appeal court, which could see it paying out a large compensation claim.

Update 22nd October 2018

The Court of Appeal has ruled against Morrisons. Morrisons had argued that it “could not be held liable for the criminal misuse of its data”, but the three appeal judges upheld the High Court's decision from December last year. Nick McAleenan, representing the claimants, said, “This latest judgement provides reassurance to the many millions of people in this country whose own data is held by their employer.”

Information security is a big part of the GDPR and other data protection laws. Board-level decisions on protecting against data breaches from external hacking are high on the agenda, but what about the insider threat? In the Morrisons case the data was taken by a trusted employee with legitimate access, and the employer was still held liable.

What are you doing to address these issues? Need help? Please contact us at be.infoready.

  • Google+

In a statement released on The Keyword blog, Google announced a bug in a Google+ API that potentially exposed the profile information of up to 500,000 Google+ accounts.

They stated, “…as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs”, the statement continues, “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API”.

Google’s Vice President of Engineering, Ben Smith, described the issue:

The bug meant that apps had access to Profile fields that were shared with the user, but not marked as public. This data is limited to static, optional Google+ profile fields including name, email address, occupation, gender and age. It does not include any other data posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.

What action was taken?

Google discovered and patched the bug in March 2018. According to Google, the bug was introduced by a Google+ code change, which points to a lack of quality control around that change.

Let’s revisit this part of the statement: Google only retains logs for this API for two weeks, so it could not confirm which users were actually affected.

Google may need to review its retention periods. Short log retention limits what an attacker can learn from the logs, but it also limits what the company can reconstruct after an incident. Retaining enough access logging to support breach investigation and notification is itself a security and accountability control.

Not knowing who has been affected is greatly concerning and could be considered neglectful, certainly towards EU customers, under the GDPR.

Your company's privacy controls are paramount to protecting people’s information. Are you prepared? If you need help or advice, please contact us.


  • Facebook (September 2018)

Facebook reported that 50 million of its users were left exposed by a security flaw. Attackers exploited a flaw in the feature known as “View As” to steal access tokens and take control of people’s accounts. When the breach was discovered, Facebook informed the police.

Facebook users affected by the attack were logged out and asked to log back into their accounts.

Facebook claims that the flaw has been fixed. However, because the stolen tokens could also be used to sign in to other services through Facebook Login, there is a possibility that other major sites, such as Airbnb and Tinder, may also have been affected.

Were you affected by the Facebook data breach? Were you informed by Facebook that there had been an issue with your account?

Facebook and Google are American companies that rely on the Privacy Shield to transfer EU personal data to the US. Any processing of EU residents' data also has to comply with the GDPR. How the Privacy Shield fits with the GDPR, and whether together they give the best assurance that our personal details are protected, is a grey area. Let’s hope things become clearer.

If you are concerned about your privacy when you do anything online, especially if your information is going out of the EU, it is recommended that you read the privacy policy of the website you are giving your information to. The same applies to any other means of communication.

Data protection regulations can be a minefield. If you need clarity you can contact us and we will be happy to explain what you need to know and advise on what you could be doing.

Adrian McGarry


References:
  1. <https://diginomica.com/2018/10/05/the-us-is-fully-compliant-with-privacy-shield-requirements-and-theres-no-more-to-be-said-apparently/>
